rtf_exploit_extractor is a script that extracts the malicious payload and decoy document from CVE-2015-1641 exploit documents. It will also work on other RTF exploit documents that use a similar begin/end marker and XOR cipher.

Once decrypted, this shellcode is responsible for some key actions:
– Locate, decrypt, and execute the malware binary payload.
– Patch some key bytes in the registry to mask the MS Word crash that follows the exploit.
– Locate, decrypt, and display the decoy document.
The malware payload and decoy document are both contained inside the large binary segment appended to the end of the RTF file.

import argparse  # the fragment below relies on argparse being imported

# Command-line parser for the extractor
parser = argparse.ArgumentParser(description='Extract encrypted payload and decoy document from CVE-2015-1641 exploit documents. This will also work on other rtf exploit docs using a similar begin/end marker and xor cipher.')
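As an added example that is not the project's own code, the following shows how the marker-delimited, XOR-encrypted tail described above can be recovered for analysis: locate the segment between the markers, recover a single-byte XOR key from a known plaintext header, and decode. The marker strings, the single-byte key, and the sample document are constructed assumptions, since the page does not state the real values.

```python
# Constructed stand-ins: the real markers and key differ per exploit document
# and are not given on the page. A single-byte XOR is assumed.
BEGIN_MARKER = b"BEGINMARK"
END_MARKER = b"ENDMARK"


def extract_segment(rtf_bytes, begin=BEGIN_MARKER, end=END_MARKER):
    """Return the raw bytes between the begin marker and the next end marker."""
    start = rtf_bytes.find(begin)
    if start == -1:
        raise ValueError("begin marker not found")
    start += len(begin)
    stop = rtf_bytes.find(end, start)
    if stop == -1:
        raise ValueError("end marker not found")
    return rtf_bytes[start:stop]


def xor_bytes(buf, key):
    """Single-byte XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ key for b in buf)


def recover_key(encrypted, known_prefix):
    """Recover a single-byte XOR key from a known plaintext prefix, e.g. b"MZ"
    for a PE payload or the OLE/RTF magic for a decoy document.
    Returns None when no key maps the ciphertext prefix onto known_prefix."""
    for key in range(256):
        if xor_bytes(encrypted[: len(known_prefix)], key) == known_prefix:
            return key
    return None


def extract_payload(rtf_bytes, known_prefix, begin=BEGIN_MARKER, end=END_MARKER):
    """Return (key, decrypted_bytes) for the marker-delimited segment."""
    enc = extract_segment(rtf_bytes, begin, end)
    key = recover_key(enc, known_prefix)
    if key is None:
        raise ValueError("no single-byte XOR key yields the expected header")
    return key, xor_bytes(enc, key)


# Constructed sample: a minimal RTF body followed by a marker-delimited,
# XOR-encrypted PE-looking blob standing in for the appended binary segment.
SAMPLE_KEY = 0x5A
SAMPLE_PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00PE\x00\x00" + b"fake payload bytes"
SAMPLE_DOC = (b"{\\rtf1\\ansi fake exploit body }" + BEGIN_MARKER
              + xor_bytes(SAMPLE_PAYLOAD, SAMPLE_KEY) + END_MARKER)

if __name__ == "__main__":
    key, payload = extract_payload(SAMPLE_DOC, b"MZ")
    print(f"key=0x{key:02x} payload starts with {payload[:8]!r}")
```

The decoy document is recovered the same way by passing its own expected header as the known prefix.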